isakmp to ipsec
I am trying to convert from isakmpd.conf/isakmpd.policy to ipsec.conf and I am using preshared keys.
Here are the configs. I want to use ipsec.conf as I can't seem to get it to work with isakmpd.conf. Can I get a little assistance with this? The whole idea is to allow remote clients (spokes) to use the GreenBow VPN client to connect to an OpenBSD box that is at the office (hub). Thanks.

Right now I get this error -->
Code:
Nov 16 15:12:29 vpnKim isakmpd[8569]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Nov 16 15:12:29 vpnKim isakmpd[8569]: message_negotiate_sa: no compatible proposal found
Nov 16 15:12:29 vpnKim isakmpd[8569]: dropped message from 9.2.9.2 port 51717 due to notification type NO_PROPOSAL_CHOSEN

Code:
# cat /etc/isakmpd/isakmpd.conf
[General]
Retransmits= 3

[Phase 1]
default = thegreenbowP1

[Phase 2]
Passives-connections= thegreenbowP2

[thegreenbowP1]
Phase= 1
Transport= udp
Address= 0.0.0.0 # change this
Configuration= Default-main-mode
Authentication= seriously?

[thegreenbowP2]
Phase= 2
ISAKMP-peer= thegreenbowP1
Configuration= Default-quick-mode
Local-ID= network_corporate
Remote-ID= client_thegreenbow

[network_corporate]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.0.0
Netmask= 255.0.0.0

[client_thegreenbow]
ID-type= IPV4_ADDR
Address= 10.3.100.1

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA-GRP2

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE

Code:
# cat /etc/isakmpd/isakmpd.policy
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
         Example of configuration between TheGreenBow VPN client and OpenBSD
Authorizer: "POLICY"
Licensees: "passphrase: seriously?"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg == "aes" &&
            esp_auth_alg == "hmac-sha" -> "true";

GREENBOW CONF
Code:
[General]
Shared-SADB = Defined
Retransmits = 2
Exchange-max-time = 15
Default-phase-1-lifetime = 3600,360:28800
Bitblocking = 0
Xauth-interval = 60
DPD-interval = 30
DPD_retrans = 5
DPD_wait = 15

[Default-phase-2-lifetime]
LIFE_TYPE = SECONDS
LIFE_DURATION = 3600,300:28800

# ==================== PHASES 1 ====================
[Phase 1]
8.8.8.6 = tgbtest-P1

[tgbtest-main-mode]
DOI = IPSEC
EXCHANGE_TYPE = ID_PROT
Transforms = 3DES-SHA-GRP2

[tgbtest-P1]
Phase = 1
Address = 8.8.8.6
Transport = udp
Configuration = tgbtest-main-mode
Authentication = "seriously?""

# ==================== PHASES 2 ====================
[Phase 2]
Manual-connections = tgbtest-tgbtest-P2

[tgbtest-tgbtest-P2]
Phase = 2
ISAKMP-peer = tgbtest-P1
Local-ID = tgbtest-local-addr
Remote-ID = tgbtest-remote-addr
Configuration = tgbtest-quick-mode
AutoStart = 0
USBStart = 0

# ==================== Ipsec ID ====================
[tgbtest-local-addr]
ID-type = IPV4_ADDR
Address = 10.3.1.2

[tgbtest-remote-addr]
ID-type = IPV4_ADDR_SUBNET
Network = 10.0.0.0
Netmask = 255.0.0.0

# ==================== TRANSFORMS ====================
[tgbtest-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
Suites = tgbtest-quick-mode-suite

[tgbtest-quick-mode-suite]
Protocols = TGBQM-ESP-AES128-SHA-PFSGRP2-TUN

[TGBQM-ESP-AES128-SHA-PFSGRP2-TUN]
PROTOCOL_ID = IPSEC_ESP
Transforms = TGBQM-ESP-AES128-SHA-PFSGRP2-TUN-XF

[TGBQM-ESP-AES128-SHA-PFSGRP2-TUN-XF]
TRANSFORM_ID = AES
KEY_LENGTH = 128,128:256
AUTHENTICATION_ALGORITHM = HMAC_SHA
GROUP_DESCRIPTION = MODP_1024
ENCAPSULATION_MODE = TUNNEL
Life = Default-phase-2-lifetime

# ==================== CERTIFICATES ====================
I figured out the previous one. For some reason I had to make ike active on both sides before I was able to peer both LANs. Not sure why that solved it, but you probably know better.
Yet to try out the FQDN connection, but I should do that this weekend, so no update on that yet. Yes, I kind of like the "constantly evolving use of IPSec on OpenBSD" ...... it's fun, isn't it, and I am learning a lot from it. And thanks to you I don't get stuck for too long (whenever I do). I think this line is all I needed. (Hopefully)
Code:
ike passive esp from any to <nic> psk <string>
OK, so I ran into another problem.
Seems like the any-to-any is not helping out. I read this thread and basically I am experiencing the same problem. The solution from the GreenBow site does not make much sense to me. I get an error on the BSD box saying
Code:
responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.3.1.2, responder id 10.0.0.0/255.0.0.0
and on the VPN client saying I get wrong remote IDs, and the errors show in the pic. Basically I want anyone with the right credentials to be able to connect, thus the any. Not sure what the remote ID means. GreenBow says:

Remote ID is the identity the VPN Client is expecting to receive during Phase 1 from the VPN gateway. This identity can be:
· an IP address (type = IP address), for example: 80.2.3.4
· a domain name (type = DNS), e.g. gateway.mydomain.com
· an email address (type = Email), e.g. admin@mydomain.com
· a string (type = KEY ID), e.g. 123456
· a certificate issuer (type = DER ASN1 DN) (see Certificates configuration)
If this identity is not set, the VPN gateway's IP address is used.

Any thoughts as to the issue? Thanks
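A checker for the Phase 2 ID mismatch that runs through the first and third posts, added here as an example and not code from the thread or from TheGreenBow: it parses the Phase 2 ID sections of the two isakmpd.conf files posted in the first post and reports where one side's Remote-ID does not cover what the other side sends as its Local-ID. The excerpts are constructed from the posted configs (IDs only) and the function names are assumptions.

```python
import configparser
import ipaddress
# Constructed excerpts (Phase 2 ID sections only) of the two isakmpd.conf files posted in the thread.
HUB_CONF = """[thegreenbowP2]
Local-ID= network_corporate
Remote-ID= client_thegreenbow
[network_corporate]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.0.0
Netmask= 255.0.0.0
[client_thegreenbow]
ID-type= IPV4_ADDR
Address= 10.3.100.1
"""
SPOKE_CONF = """[tgbtest-tgbtest-P2]
Local-ID = tgbtest-local-addr
Remote-ID = tgbtest-remote-addr
[tgbtest-local-addr]
ID-type = IPV4_ADDR
Address = 10.3.1.2
[tgbtest-remote-addr]
ID-type = IPV4_ADDR_SUBNET
Network = 10.0.0.0
Netmask = 255.0.0.0
"""
def id_network(cp, name):
    """Resolve an isakmpd ID section to an IPv4 network (a host ID becomes a /32)."""
    sec = cp[name]
    if sec["ID-type"] == "IPV4_ADDR":
        return ipaddress.ip_network(sec["Address"])
    if sec["ID-type"] == "IPV4_ADDR_SUBNET":
        return ipaddress.ip_network(f"{sec['Network']}/{sec['Netmask']}", strict=False)
    raise ValueError(f"unsupported ID-type in [{name}]")

def phase2_ids(text, conn):  # -> (Local-ID, Remote-ID) networks of Phase 2 section `conn`
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # isakmpd keys are case-sensitive; do not lowercase them
    cp.read_string(text)
    return id_network(cp, cp[conn]["Local-ID"]), id_network(cp, cp[conn]["Remote-ID"])

def check_ids(hub_text, hub_conn, spoke_text, spoke_conn):
    """Return mismatches: each side's Remote-ID must cover the ID the other side sends as Local-ID."""
    hub_local, hub_remote = phase2_ids(hub_text, hub_conn)
    spoke_local, spoke_remote = phase2_ids(spoke_text, spoke_conn)
    checks = [
        (spoke_local.subnet_of(hub_remote), f"hub expects client ID {hub_remote}, client sends {spoke_local}"),
        (hub_local.subnet_of(spoke_remote), f"client expects gateway ID {spoke_remote}, gateway sends {hub_local}"),
    ]
    return [msg for ok, msg in checks if not ok]
```

On the posted configs the hub side expects the client to identify as 10.3.100.1 while the GreenBow side sends 10.3.1.2, which is the kind of disagreement isakmpd reports as invalid phase 2 IDs.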